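nginx service: HTTPS performance testing and tuning (research done while assisting a colleague with testing)
Source: Internet  Published by: 仅限数据连接  Editor: 程序博客网  Time: 2024/06/17 15:02
Run real tests on offline virtual machines to look for ways to optimize SSL.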
[root@fcdtest-haproxy ~]# ab -n 10000 -c 100 https://imga.yukusoft.com/cdntest.apk
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking imga.yukusoft.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests
Server Software: nginx/1.9.9
Server Hostname: imga.yukusoft.com
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Document Path: /cdntest.apk
Document Length: 1895420 bytes
Concurrency Level: 100
Time taken for tests: 113.134 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Total transferred: 18966427184 bytes
HTML transferred: 18963635789 bytes
Requests per second: 88.39 [#/sec] (mean)
Time per request: 1131.335 [ms] (mean)
Time per request: 11.313 [ms] (mean, across all concurrent requests)
Transfer rate: 163717.15 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 10 83 59.0 68 532
Processing: 22 1046 88.5 1056 1572
Waiting: 0 27 23.7 20 228
Total: 32 1129 106.6 1123 2088
Percentage of the requests served within a certain time (ms)
50% 1123
66% 1132
75% 1141
80% 1148
90% 1179
95% 1225
98% 1291
99% 1369
100% 2088 (longest request)
[root@fcdtest-haproxy ~]# ab -n 10000 -c 100 https://imga.yukusoft.com/cdntest.apk
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking imga.yukusoft.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests
Server Software: nginx/1.9.9
Server Hostname: imga.yukusoft.com
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Document Path: /cdntest.apk
Document Length: 1895420 bytes
Concurrency Level: 100
Time taken for tests: 113.258 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Total transferred: 18968364194 bytes
HTML transferred: 18965572520 bytes
Requests per second: 88.29 [#/sec] (mean)
Time per request: 1132.585 [ms] (mean)
Time per request: 11.326 [ms] (mean, across all concurrent requests)
Transfer rate: 163553.27 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 10 81 58.4 64 539
Processing: 23 1049 90.2 1061 1736
Waiting: 1 25 22.9 17 231
Total: 33 1130 108.6 1125 2241
Percentage of the requests served within a certain time (ms)
50% 1125
66% 1134
75% 1140
80% 1144
90% 1156
95% 1178
98% 1232
99% 1288
100% 2241 (longest request)
[root@fcdtest-haproxy ~]# ab -n 10000 -c 100 https://imga.yukusoft.com/cdntest.apk
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking imga.yukusoft.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests
Server Software: nginx/1.9.9
Server Hostname: imga.yukusoft.com
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Document Path: /cdntest.apk
Document Length: 1895420 bytes
Concurrency Level: 100
Time taken for tests: 113.904 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Total transferred: 18958874160 bytes
HTML transferred: 18956083881 bytes
Requests per second: 87.79 [#/sec] (mean)
Time per request: 1139.035 [ms] (mean)
Time per request: 11.390 [ms] (mean, across all concurrent requests)
Transfer rate: 162545.69 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 10 90 70.4 61 527
Processing: 19 1048 108.2 1070 1817
Waiting: 0 27 23.9 19 202
Total: 30 1138 119.6 1132 2301
Percentage of the requests served within a certain time (ms)
50% 1132
66% 1144
75% 1152
80% 1158
90% 1183
95% 1222
98% 1272
99% 1378
100% 2301 (longest request)
[root@fcdtest-haproxy ~]# ab -n 10000 -c 100 https://imga.yukusoft.com/cdntest.apk
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking imga.yukusoft.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests
Server Software: nginx/1.9.9
Server Hostname: imga.yukusoft.com
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Document Path: /cdntest.apk
Document Length: 1895420 bytes
Concurrency Level: 100
Time taken for tests: 113.093 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Total transferred: 18982953795 bytes
HTML transferred: 18980159889 bytes
Requests per second: 88.42 [#/sec] (mean)
Time per request: 1130.927 [ms] (mean)
Time per request: 11.309 [ms] (mean, across all concurrent requests)
Transfer rate: 163919.00 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 10 93 64.0 74 524
Processing: 17 1035 89.1 1046 1615
Waiting: 0 30 26.8 21 231
Total: 27 1128 103.2 1120 2118
Percentage of the requests served within a certain time (ms)
50% 1120
66% 1133
75% 1145
80% 1154
90% 1185
95% 1228
98% 1267
99% 1329
100% 2118 (longest request)
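All of the tests above are HTTPS load tests in the cache MISS case.
#1 and #2 were run without adjusting the SSL ciphers and cache buffer.
#3 and #4 were run after adjusting the SSL ciphers and cache buffer.
Conclusion: comparing total completion time, completion time across concurrent requests, completion time of a single request, and mean connection processing time shows no performance improvement.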
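The comparison behind that conclusion can be made explicit. The following is an added example, not part of the original post: it parses the summary lines of runs #1-#4 (values copied from the reports above) and checks whether the tuned runs beat the baseline by more than the run-to-run spread. The function names and the "gain must exceed the spread" rule are assumptions of this example.

```python
import re
from statistics import mean

# Summary lines copied from ab runs #1-#4 on this page (other lines omitted).
RUNS = """\
Time taken for tests: 113.134 seconds
Requests per second: 88.39 [#/sec] (mean)
Connect: 10 83 59.0 68 532
Time taken for tests: 113.258 seconds
Requests per second: 88.29 [#/sec] (mean)
Connect: 10 81 58.4 64 539
Time taken for tests: 113.904 seconds
Requests per second: 87.79 [#/sec] (mean)
Connect: 10 90 70.4 61 527
Time taken for tests: 113.093 seconds
Requests per second: 88.42 [#/sec] (mean)
Connect: 10 93 64.0 74 524
"""

# metric -> (regex capturing the value, +1 if higher is better, -1 if lower is)
FIELDS = {
    "total_s": (r"Time taken for tests:\s+([\d.]+)", -1),
    "rps": (r"Requests per second:\s+([\d.]+)", +1),
    "connect_mean_ms": (r"Connect:\s+\d+\s+(\d+)", -1),
}

def parse_runs(text):
    """Return {metric: [one value per run]} in the order the runs appear."""
    return {m: [float(v) for v in re.findall(rx, text)]
            for m, (rx, _) in FIELDS.items()}

def compare(metric, values, baseline=(0, 1), tuned=(2, 3)):
    """Gain of the tuned runs over the baseline, judged against run-to-run spread."""
    b = [values[i] for i in baseline]
    t = [values[i] for i in tuned]
    gain = FIELDS[metric][1] * (mean(t) - mean(b))  # > 0: tuned is better
    noise = max(max(b) - min(b), max(t) - min(t))   # spread inside a group
    return {"gain": round(gain, 3), "noise": round(noise, 3),
            "improved": gain > noise}

def summarize(text=RUNS):
    return {m: compare(m, vals) for m, vals in parse_runs(text).items()}

if __name__ == "__main__":
    for metric, result in summarize().items():
        print(f"{metric:16} {result}")
```

None of the three metrics improves by more than the spread between repeated runs of the same configuration, which matches the conclusion above.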
[root@fcdtest-haproxy ~]# ab -n 10000 -c 100 https://imga.yukusoft.com/cdntest.apk
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking imga.yukusoft.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests
Server Software: nginx/1.9.9
Server Hostname: imga.yukusoft.com
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Document Path: /cdntest.apk
Document Length: 1895420 bytes
Concurrency Level: 100
Time taken for tests: 112.750 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Total transferred: 18958885699 bytes
HTML transferred: 18956095420 bytes
Requests per second: 88.69 [#/sec] (mean)
Time per request: 1127.503 [ms] (mean)
Time per request: 11.275 [ms] (mean, across all concurrent requests)
Transfer rate: 164208.29 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 11 68 54.0 55 544
Processing: 22 1058 83.5 1064 1561
Waiting: 1 25 20.8 19 195
Total: 35 1126 105.2 1119 2085
Percentage of the requests served within a certain time (ms)
50% 1119
66% 1129
75% 1137
80% 1144
90% 1175
95% 1220
98% 1290
99% 1394
100% 2085 (longest request)
[root@fcdtest-haproxy ~]# ab -n 10000 -c 100 https://imga.yukusoft.com/cdntest.apk
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking imga.yukusoft.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests
Server Software: nginx/1.9.9
Server Hostname: imga.yukusoft.com
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Document Path: /cdntest.apk
Document Length: 1895420 bytes
Concurrency Level: 100
Time taken for tests: 115.199 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Total transferred: 18956990000 bytes
HTML transferred: 18954200000 bytes
Requests per second: 86.81 [#/sec] (mean)
Time per request: 1151.994 [ms] (mean)
Time per request: 11.520 [ms] (mean, across all concurrent requests)
Transfer rate: 160701.20 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 11 79 54.1 69 543
Processing: 21 1071 85.4 1074 1588
Waiting: 1 25 20.5 18 187
Total: 33 1150 106.9 1145 2075
Percentage of the requests served within a certain time (ms)
50% 1145
66% 1155
75% 1163
80% 1169
90% 1187
95% 1207
98% 1266
99% 1393
100% 2075 (longest request)
[root@fcdtest-haproxy ~]# ab -n 10000 -c 100 https://imga.yukusoft.com/cdntest.apk
This is ApacheBench, Version 2.3 <$Revision: 655654 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking imga.yukusoft.com (be patient)
Completed 1000 requests
Completed 2000 requests
Completed 3000 requests
Completed 4000 requests
Completed 5000 requests
Completed 6000 requests
Completed 7000 requests
Completed 8000 requests
Completed 9000 requests
Completed 10000 requests
Finished 10000 requests
Server Software: nginx/1.9.9
Server Hostname: imga.yukusoft.com
Server Port: 443
SSL/TLS Protocol: TLSv1/SSLv3,ECDHE-RSA-AES256-GCM-SHA384,2048,256
Document Path: /cdntest.apk
Document Length: 1895420 bytes
Concurrency Level: 100
Time taken for tests: 112.297 seconds
Complete requests: 10000
Failed requests: 0
Write errors: 0
Total transferred: 18958885699 bytes
HTML transferred: 18956095420 bytes
Requests per second: 89.05 [#/sec] (mean)
Time per request: 1122.975 [ms] (mean)
Time per request: 11.230 [ms] (mean, across all concurrent requests)
Transfer rate: 164870.50 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 10 77 66.2 63 704
Processing: 25 1045 97.7 1051 1885
Waiting: 1 26 22.1 19 210
Total: 35 1121 132.9 1115 2516
Percentage of the requests served within a certain time (ms)
50% 1115
66% 1125
75% 1133
80% 1139
90% 1163
95% 1199
98% 1255
99% 1375
100% 2516 (longest request)
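Test method:
Incrementally change Nginx parameters, reload Nginx, then access the site with Chrome and IE10 in turn, refreshing the browser on every visit. Capture packets with Wireshark at the same time.
Test node:
A PC in Beijing with a fixed hosts entry, accessing the Shanxi Unicom edge.
Test parameters: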
proxy_ssl_session_reuse on;
ssl_session_cache shared:SSL:50m;
ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL;
#ssl_ciphers ALL:!kEDH!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
ssl_session_tickets on;
ssl_buffer_size 1460;
tcp_nodelay on;
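Test results:
Chrome test:
#1 Adjusting any of the parameters produced no noticeable improvement in SSL verification time.
From the TCP three-way handshake to a successful SSL handshake takes about 45-50 ms in total.
The RTT for TCP connection setup is about 20 ms.
#2 Every time the Nginx configuration is incrementally modified on the server and reloaded, an ssl_session_ticket is triggered for the Chrome client.
IE 10 test:
#1 Adjusting any of the parameters produced no noticeable improvement in SSL verification time.
However, from the TCP three-way handshake to a successful SSL handshake takes about 90 ms in total, 2 RTTs more than in the Chrome test.
The RTT for TCP connection setup is about 20 ms.
#2 When the Nginx configuration is incrementally modified on the server and reloaded, an ssl_session_ticket is never triggered for the IE client.
Other tests (certificate performance verification with openssl)
Test method:
Using openssl s_time -connect test.fastweb.com.cn:443, test against two machines with different TTLs (the TTL from the jump host to the target). Each incremental Nginx configuration change is kept identical on both machines.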
221.204.202.115 test.fastweb.com.cn (TTL 52)
202.150.18.15 test.fastweb.com.cn(TTL 49)
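We also adjusted the way the certificate is generated and tested that; the results are still being observed with Jidiao (基调) monitoring.
Test method:
openssl ecparam -name secp256k1 -genkey -noout -out myecdsa.private.key
openssl req -new -sha256 -key [private key path] -out [desired CSR path]
openssl req -new -nodes -x509 -key [private key path] -out [desired CRT path] -days [desired number of days]
Test results:
The newly generated certificate was deployed online. So far Jidiao has collected only one data point after the change; the time cost has come down, but a large amount of data still needs to be collected to verify this.
Test conclusion:
After the last few days of testing, we found that the parameters Nginx can control are basically all at the network level, while the bottleneck we can currently see is still in certificate verification (it has been confirmed that the certificate verification time is directly related to RTT, but the RTT is now kept within local device coverage, so the RTT problem can basically be ignored).
Latest test results:
#1 When verifying the Fastweb (快网) certificate with the openssl s_time -connect test method, session reuse frequently fails during the reuse phase.
This occurs randomly on any c06.i06 platform node. The proxy_ssl_session_reuse and
ssl_session_cache parameters have already been configured on Nginx, but they do not resolve the reuse failures.
#2 Packet captures show that the time is currently spent in two places:
From the client verifying the certificate until the key exchange with the server completes.
From the client sending Application Data until the server receives it.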
[root@ctl-jx-059-063-188-151 ~]# openssl s_time -connect test.fastweb.com.cn:443
No CIPHER specified
Collecting connection statistics for 30 seconds
*********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
477 connections in 1.45s; 328.97 connections/user sec, bytes read 0
477 connections in 31 real seconds, 0 bytes read per connection
Now timing with session id reuse.
starting
*****r****rrr*****r*r**r***r*******r******rrrr****r*rr*r*****r****r**********r*******r*****r*****rr**r*****r**rr*rr***r***************r************r*r**********************r*********r**r*r**r*************rr**r********rr******r**r***r*****r*r******r*rrrr****rr*****r***r********r***rr*******r*rr****r***rr***r*r**r********r*r******r*****r***r**r********r******r********r****r***r*r**r******rrr*********r****r*****r***r****r**r*r*****r****r****r*r*r*******r*********r****r**rr*r**r**rr**************r***rrr*rrr**r***r*****
520 connections in 1.28s; 406.25 connections/user sec, bytes read 0
520 connections in 31 real seconds, 0 bytes read per connection
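In the s_time progress line, `r` marks a connection that resumed a session and any other character marks a full handshake, so the reuse phase above is a mix of both. The following added example (not part of the original post) parses output in that format and computes the resumption ratio; the sample text is constructed and shortened, and the function names are assumptions of this example.

```python
import re

# Constructed sample in the format of the `openssl s_time` output above
# (marker lines shortened; the counts are illustrative, not from the page).
SAMPLE = """\
Collecting connection statistics for 30 seconds
**********
10 connections in 0.03s; 333.33 connections/user sec, bytes read 0
10 connections in 31 real seconds, 0 bytes read per connection
Now timing with session id reuse.
starting
**r**rr***r*
12 connections in 0.03s; 400.00 connections/user sec, bytes read 0
12 connections in 31 real seconds, 0 bytes read per connection
"""

MARKERS = re.compile(r"^[r*t32]+$")  # s_time prints one character per connection

def parse_s_time(text):
    """Split s_time output into the 'new' and 'reuse' phases and count markers."""
    phases, current = {}, "new"
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Now timing with session id reuse"):
            current = "reuse"
        elif MARKERS.match(line):
            phase = phases.setdefault(current, {})
            phase["resumed"] = line.count("r")
            phase["full"] = len(line) - line.count("r")
        elif m := re.match(r"(\d+) connections in (\d+) real seconds", line):
            phase = phases.setdefault(current, {})
            phase["per_real_sec"] = round(int(m[1]) / int(m[2]), 2)
    return phases

def reuse_ratio(text):
    """Fraction of reuse-phase connections that actually resumed a session."""
    p = parse_s_time(text)["reuse"]
    return p["resumed"] / (p["resumed"] + p["full"])

if __name__ == "__main__":
    print(parse_s_time(SAMPLE))
    print(f"resumed in reuse phase: {reuse_ratio(SAMPLE):.0%}")
```

When resumption works on every connection, the reuse-phase line consists only of `r` and the ratio is 1.0.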
The current Nginx configuration is as follows:
server {
    listen 443;
    server_name test.fastweb.com.cn;
    ssl on;
    ssl_certificate /*/nginx/ssl/auto_test.fastweb.com.cn(0).crt;
    ssl_certificate_key /*/nginx/ssl/auto_test.fastweb.com.cn(1).key;
    access_log "|/usr/sbin/cronolog -p '1 min' /*/logs/%Y%m%d%H%M/nginx-test.fastweb.com.cn-%Y%m%d%H%M.log" main;
    error_log "|/usr/sbin/cronolog /*/logs/err_log/%Y%m%d_test.fastweb.com.cn_error.log";
    ################################
    # Added configuration for OCSP
    ################################
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver DNS_IP valid=300s;
    resolver_timeout 10s;
    ssl_trusted_certificate /opt/nginx/ssl/gd_bundle-g2-g1.crt;
    ssl_stapling_file /opt/nginx/ssl/stapling_ocsp;
    add_header Strict-Transport-Security "max-age=31536000";
    ################################
    #END
    ################################
    ################################
    # Added configuration for nginx
    ################################
    # proxy_ssl_session_reuse only affects TLS connections to the proxied
    # server; the proxy_pass below uses plain http.
    proxy_ssl_session_reuse on;
    ssl_session_cache shared:ssl:50m;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets on;
    # ssl_buffer_size is in bytes (the nginx default is 16k)
    ssl_buffer_size 128;
    ################################
    #END
    ################################
    location / {
        add_header X-Cache "PASS from front.ssl.nginx";
        proxy_pass_header User-Agent;
        proxy_pass http://local_fastcache;
    }
}
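Current optimization bottleneck:
Even after configuring OCSP and the Nginx parameters, the performance shown in the Jidiao data still cannot be improved.
End of testing:
Summary of the tuning results:
Starting January 5 (1.5), the tuned parameters were deployed online for vivo, in two parts: Nginx parameters and OCSP certificate parameters.
The test result data has been added to the attachment. The data shows no obvious improvement, and the configuration has now been restored to its state before the tests.
Main factors that make the data unstable:
Most of the high points are cases where the RTT is unstable, and it is usually very large.
The performance of the Fastweb certificate is indeed not as good as that of competitors' certificates, and there are always failures on retry.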